The California Consumer Privacy Act (CCPA) has prompted a number of other U.S. states to revamp their privacy laws. Louisiana, Ohio, and Vermont are among the states that have amended or enacted regulations in 2018, pushing organizations and their third parties to take a more proactive approach to securing personal information. To help you stay current with these changes and develop processes and policies that satisfy requirements across state borders, we examine these three states' new requirements and the impact they may have on organizations.
Louisiana's Database Security Breach Notification Law
Amendments to Louisiana's Database Security Breach Notification Law went into effect on August 1, 2018. The law applies to any person or business that owns, licenses, or maintains computerized data containing personal information about Louisiana residents, and the amendments make three big changes:
- The expansion of the definition of personal information
- Required notice to affected residents
- New data security and destruction requirements
Personal Information:
Under the revised law, the definition of personal information now covers social security numbers, driver's license and state identification card numbers, financial account numbers, credit/debit card numbers (with any required access code), passport numbers, and biometric data. Passport numbers and biometric data are the notable additions; biometric data means measurements of an individual's physical characteristics (such as fingerprints, retina scans, or voice prints) used to authenticate identity.
Breach Notification:
Prior to these amendments, an organization could fall back on substitute notice (rather than individual written or electronic notice) only if a breach affected more than 500,000 individuals. That threshold is now 100,000 individuals, so substitute notice is available for a much wider range of incidents.
The amendments also set a specific timeline for breach notification. Previously, the law required only that organizations notify affected residents "in the most expedient time possible and without unreasonable delay." The new requirement is that notification be made within 60 days of discovery. Third parties that maintain personal information on behalf of an organization are subject to the same 60-day clock for notifying the data owner. An organization that cannot meet this deadline must provide written notice to the Attorney General (AG), who may grant a reasonable extension.
The amendments also permit a more flexible, substitute notification process, allowing other means of communication to affected individuals, including e-mail, social media, and a conspicuous posting on the organization's website.
Security Requirements:
The updates add an affirmative data security obligation: organizations must implement and maintain reasonable security procedures and practices appropriate to the nature of the information. They also require the safe destruction of personal information once it is no longer retained or used for business purposes, and the statute names the acceptable methods: shredding, erasing, or otherwise modifying the data so that it is unreadable and undecipherable.
The Ohio Data Protection Act
The Ohio Data Protection Act (Senate Bill 220) was signed into law in August 2018 and went into effect on November 2, 2018. The goal of the Act is to encourage Ohio organizations to strengthen their security measures and better protect against cyberattacks. Unlike Louisiana, this Act does not impose minimum data security requirements on organizations; instead, it incentivizes voluntary compliance. Separately from its cybersecurity focus, the Act also amends Ohio's electronic transactions law to recognize records and signatures secured through blockchain technology as legitimate electronic records and signatures. Any organization that accesses, maintains, communicates, or processes personal information is a covered entity under the Act.
Compliance Requirements:
Instead of mandating compliance and penalizing non-compliance, Ohio offers an incentive to organizations that voluntarily align with an industry-recognized cybersecurity framework, such as the NIST Cybersecurity Framework (CSF) or the ISO/IEC 27000 series. The incentive is a legal safe harbor: an organization that suffers a data breach despite maintaining a qualifying program can raise the safe harbor as an affirmative defense to tort claims brought in Ohio courts alleging that a failure to implement reasonable security controls caused the breach. To qualify, an organization must create, maintain, and comply with a written cybersecurity program that reasonably conforms to one of the frameworks the Act recognizes, and must keep that program current as the framework is revised.
Breach Notification:
The Act does not change Ohio's existing breach notification requirements. In the event of a breach, affected residents must be notified no later than 45 days after discovery.
The Vermont Data Broker Law
The Vermont Data Broker Law was signed May 22, 2018, and gives data brokers until January 1, 2019 to become compliant. The law regulates organizations that collect, store, and sell consumer data they did not obtain directly from the consumer, and sets specific requirements for how they disclose breaches. Vermont's law is the first in the U.S. to target data brokers specifically.
Compliance Requirements:
Data brokers are prohibited from acquiring personally identifiable information (PII) by fraudulent means and from using it for discriminatory or otherwise unlawful purposes. Brokers must also register annually with the Secretary of State, pay a $100 registration fee, and disclose their practices as part of that registration: the broker's contact information, whether and how consumers can opt out of data collection or sale, and the number of security breaches the broker experienced in the prior year.
Breach Notification:
Data brokers are required to notify affected individuals of a breach no later than 45 days after discovery and to provide a preliminary statement to the AG within 14 business days.
Security Requirements:
Data brokers now carry a greater responsibility to protect PII through a comprehensive written information security program. Required elements include restricting access to PII to those who need it, secure user authentication protocols, employee security awareness training, an incident response plan for breaches, and regular monitoring of systems for unauthorized use or access.
Penalties:
Failure to register may result in penalties of $50 per day, capped at $10,000 per year, and entitles the AG, or a private citizen, to bring a civil suit against the organization.
Louisiana, Ohio, and Vermont are helping to lead a national trend toward stronger data protection. Each places greater responsibility on organizations to safeguard personal data, recognizing the lasting damage that inadequate protection can cause to individuals. Because data protection legislation in the U.S. differs greatly by state, many organizations (tech companies in particular) are advocating for a single federal law.
Whether or not a federal law arrives soon, organizations must still focus on preventive measures that substantially reduce the likelihood of a data breach and protect consumer PII. As more states recognize the risks surrounding the collection and management of personal data, a further surge of state privacy laws is likely, and the call for a single federal privacy regulation will likely grow louder.